
Microsoft SharePoint ToolShell actively exploited zero-day (CVE-2025-53770)

Vulnerability
Happening score: 50
1 unique source, 1 article

Summary


CVE-2025-53770 (ToolShell) is an actively exploited zero-day in on-premises Microsoft SharePoint servers that exposes systems to unauthenticated remote code execution and full file-system access. Microsoft issued emergency updates on July 21, 2025, after the flaw was abused in attacks. The vulnerability has been used against government, university, telecom, and finance targets, making the risk immediate for exposed deployments.

Related Happenings

Windows BitLocker YellowKey mitigation guidance (CVE-2026-45585)

Advisory/Mitigation
First: 20.05.2026 10:31 Last: 20.05.2026 10:31 Sources 1

About this happening: Microsoft issued **mitigation guidance** for **YellowKey**, a **Windows BitLocker zero-day** that can expose **BitLocker-protected drives** before the security update is available...

Rising critical Microsoft vulnerabilities across Windows, Azure, Dynamics 365, and Office

Target Trend
First: 19.05.2026 17:00 Last: 19.05.2026 17:00 Sources 1

About this happening: Microsoft’s vulnerability volume stayed broadly stable, but **critical flaws** doubled year over year across **Windows, Azure, Dynamics 365, and Office**, increasing the likelihoo...

Rwl.angular-console (Nx Console) hit by network compromise

Incident
First: 19.05.2026 10:49 Last: 19.05.2026 10:49 Sources 1

About this happening: The **Nx Console** extension **rwl.angular-console 18.95.0** was compromised on the **VS Code Marketplace**, exposing **developers** to a **credential-stealing** payload and suppl...

Anthropic launches Project Glasswing with Claude Mythos for vulnerability discovery

Security Tool/Service
First: 08.04.2026 12:16 Last: 08.04.2026 12:16 Sources 1

About this happening: **Anthropic’s Project Glasswing** is now showing measurable results: since launching last month, the **Claude Mythos Preview**-based initiative has uncovered **more than 10,000**...

Latest development: 23.05.2026 14:55

Anthropic said Project Glasswing has uncovered more than 10,000 high- or critical-severity vulnerabilities across widely used software since the program launched last month, including 6,202 high/critical flaws affecting more than 1,000 open-source projects, 1,726 validated true positives, 1,094 high/critical flaws, a critical WolfSSL flaw tracked as CVE-2026-5194 with CVSS score 9.1, 97 upstream patches, and 88 advisories.

Storm-1175 high-velocity exploit campaign

Campaign
First: 06.04.2026 19:56 Last: 06.04.2026 19:56 Sources 1

About this happening: **Storm-1175** is running a **high-velocity exploit campaign** that rapidly turns access into **Medusa ransomware** deployment, creating risk of **data exfiltration** and encrypte...

Timeline

  1. 22.10.2025 13:24 1 article · 7mo ago

    ToolShell active exploitation disclosed for SharePoint servers

    Initial Disclosure

    CVE-2025-53770 was disclosed as an actively exploited zero-day affecting on-premises Microsoft SharePoint servers, with attacks already targeting government agencies, universities, telecommunication service providers, and finance organizations.

  2. 22.10.2025 13:24 1 article · 7mo ago

    Microsoft issues emergency SharePoint updates for ToolShell

    Mitigation Patch Update

    Microsoft released emergency updates for CVE-2025-53770 on July 21 after the SharePoint zero-day was disclosed the previous day, providing a patch path for exposed on-premises servers.

  3. 22.10.2025 13:24 1 article · 7mo ago

    ToolShell intrusion on a Middle East telecommunications provider

    Technical Analysis Update

    On July 21, CVE-2025-53770 exploitation against a telecommunications service provider in the Middle East planted webshells for persistent access, then used DLL side-loading with legitimate Trend Micro and BitDefender executables to launch Zingdoor, a suspected ShadowPad Trojan, KrustyLoader, Sliver, ProcDump, Minidump, LsassDumper, PetitPotam (CVE-2021-36942), Certutil, GoGo Scanner, and Revsocks.

  4. 22.10.2025 13:24 2 articles · 7mo ago

    Broader ToolShell campaign spans four regions

    Campaign Scope Update

    Assessment of ToolShell activity links compromises in the Middle East, South America, the U.S., and Africa to government, university, telecom, and finance targets, with malware typically associated with Salt Typhoon and evidence that the vulnerability was used by a larger set of Chinese threat actors than previously known.
